Cyber Insurance: Is it worth it?
Did you know according to a report from McAfee the total global losses from cybercrime topped an estimated one trillion dollars just in the year 2020? This amount is expected to increase to six trillion in 2021. With just the amount lost to cybercrime in 2020 you could buy two million Rolls Royce cars or pay the salary for approximately 18 million teachers! That is a lot of money being lost to cyber criminals! To help prevent the massive amounts of money and data being lost to cybercrime, cyber insurance could be used to help raise security standards over a wide range of companies so that the overall crime rate is significantly reduced.
To understand a little bit more about the history of cyber insurance, let’s look at where it first started. The earliest form of cyber insurance was first created in the 1990s and covered online media and errors made in data processing. Since then, there has been a gradual increase in the number of companies who have started adopting cybersecurity policies in hopes of protecting their companies from potential threats and malicious hackers. Some newer policies started covering threats such as malware, ransomware, and data breaches along with many other areas of security. To help reach larger audiences, insurance companies allow businesses to pick and choose which policies are the best for their needs. By doing so, the cost of insurance for companies is significantly reduced because they can purchase only necessary coverage. There are, however, several questions and concerns that one might have when considering cyber insurance and the role that the insurance plays in a company’s security.
Many might have the misconception that by insuring themselves against cyber-attacks, the company is offloading responsibility onto the insurance company and that it is no longer the company’s fault if any attacks occur. In fact, if done correctly, the responsibility and the standards of the company would increase if they became insured. This is because the goal of cyber insurance is to work like a net under a tight rope artist. It is there to protect the artist from potential risks even after one takes all other precautionary measures. In some instances, there might still be some damage, but it is better than falling on the cold, hard ground. For example, even after a company has put into place all the necessary security checks, controls, and monitoring, sudden ransomware attacks and insider information leaks can occur. If that company has cyber insurance, it serves as a safety net to protect the business and the information of all its users.
But what about the information lost? And what about the customers? How does a customer know if the company is telling the whole truth about the safety of their data? Thankfully, the Cybersecurity Information Sharing Act was introduced in 2015 to ensure that companies and businesses can share specific information about their security measures without fear of liability or other negative consequences. Businesses can share any threat indicators or defensive measures put in place, along with any potential or current attack information with the federal state and local governments and other companies and private entities. So now it comes down to the policies put in place to inform customers that their data was leaked within a certain time frame. From there, the company would have to put into place a series of steps to recover the customer’s information and make sure that none of it has been leaked or compromised. However, there is a silver lining to this. Not all information that has been stolen is used or accessed; it is kept by the hackers to get money from companies, and the larger the company, the larger the payout. Some hackers are in it for the money and never really touch the information, while others with more malicious intent try to access all the files and either sell it or use it to cause more harm. The latter is what we are trying to protect users from. Cyber insurance can provide companies a framework to make sure the company’s security meet a minimum standard so that the occurrence of many common cyberattacks such as phishing and social engineering attacks can be reduced significantly while also protecting and providing a plan of action in case something goes wrong. And based on the severity of the situation, insurance companies can provide extra support via security personnel, professional advice or whatever is deemed necessary at that point for the company and its customers.
Cyber insurance is commonly associated with medium to large tech companies who are operating in the cyber space. Although such companies need to be insured, it is also crucial for companies in different areas to be covered as well. Cyber insurance is not and should not be just for large tech companies. It is for small bakeries, cafes, hospitals, banks, and anywhere customers can use their credit cards, which in modern times (especially after the COVID-19 pandemic) are used essentially everywhere. Ensuring the physical and virtual safety of the places we go to daily can allow for people to go about their lives without worrying if their personal information has been compromised. It has only been within the past few years that people have been seriously paying attention to what is happening in the cyber space. After the Sony Pictures attack in 2014, in which personally identifiable information and internal business communications were stolen, (former) President Obama mentioned that the cyber space is still an area that needs to be developed and regulated. Later in 2016, the North Atlantic Treaty Organization (NATO) also declared cyber space as a domain of operations that needs to be protected and defended. However, despite the warnings that have been issued, there has been a considerable increase in the number of cyber-attacks that have taken place within many companies and individuals since then. There have been several policies such as the General Data Protection Regulation (GDPR) which have been put into effect to help protect users online, but much more must be done to ensure online safety for users of all ages. The 2021 attack on the Colonial Pipeline was also covered extensively by the media. It is a good example of how cyber insurance helped the company handle the situation and allowed them to pay the least amount of ransom they could to the hackers. There is more to the situation than what is being outlined here but it is important to understand the difference that cyber insurance has made within this situation and what could have happened had there not been the safety net of insurance with them.
So far, we have been focused on the specifics of being insured, now let’s take a step back and look at the big picture. Companies are the ones that are at risk and need to be insured but it is also important to make sure that cyber insurance companies are also following the rules. Since there has been an increase in the demand for insurance companies that provide such policies, it is easy for popular insurance companies to take advantage of their customers whether they are large corporations or your local small businesses. There are laws and regulations preventing this from happening but as the demand for more protection grows, the potential to misuse this power grows as well. It would be unwise to claim the businesses and customers are the only ones in need of regulation.
All things considered, cyber insurance is only one aspect of security within a company and for it to be effective, it is necessary to be put in place along with several other preventative measures. For instance, measures like training for all the employees in a company based on their roles, company-wide audits, and updating and patching all the software a business all contribute to a company’s cyber security. In the future, with the addition of more policies and regulations being put in place this will also help provide a more structured cyber space and will allow for any suspicious activities and potential crimes to be caught before they become large problems. Through this combined effort everyone becomes a part of working towards a safer cyber space within their business and hopefully over time it adds up so that the overall cybercrime rate is reduced. So, is cyber insurance worth it? That is for you to decide, but the longer it takes for change to occur the easier it becomes for cyber criminals to steal data and money from you.
Want to stay updated on our blog posts and more Softrams news? Follow us on LinkedIn!
